Notable members of the infosec community are creating impromptu but highly popular virtual events using cheap, off-the-shelf tools.

Following the swift emergence of the COVID-19 crisis, organizers of cybersecurity and hacking conferences of all sizes have been faced with three choices: cancel their events altogether, postpone them to a presumably better future, or find some way to hold them in a virtual manner on the internet. Wild West Hacking Fest, originally slated for March 10 to March 13 in San Diego, quickly converted itself into a virtual conference and was soon followed by dozens of conferences that modified their plans to accommodate the need for social distancing.

A new form of non-traditional information security conference has emerged over the past two weeks. These conferences are organized by leading information security professionals who are leveraging existing, off-the-shelf online video conferencing and collaboration tools such as GoToWebinar or Zoom to rapidly mount internet-based alternatives to in-the-flesh confabs.

Maintaining the cybersecurity community

Part of the impetus behind the creation of these virtual events is the drive to maintain some sense of community among cybersecurity professionals, who rely heavily on conferences to exchange information and create professional bonds. “We desperately have to keep people mentally engaged and caring about one another for the short and longer term as we deal with this crisis,” Lesley Carhart, organizer of one of these virtual conferences, tells CSO.

Carhart’s conference, PancakesCon, was a day-long two-track event held on March 22. (PancakesCon is a play on Lesley’s widely followed Twitter account which uses the handle @hacks4pancakes.) The event was seen as a huge success with 1,500 registrants for one track and an expected 3,000 for another. PancakesCon was conceived, developed and held in less than a week and featured two tracks and twenty talks that were half infosec presentations and half hobby demonstrations. For example, the event kicked off with Black Hills Information Security Owner John Strand talking about network threat hunting for the first half of his talk. For the second half, Strand showed the thousands of attendees how to make White Russians using his home kitchen.

This new breed of virtual conferences has the flavor of public service, helping to productively occupy the cybersecurity community’s time as everyone copes with uncertainty and, for many, the unusual nature of working from home. “We can stay inside and keep people inside, and we can help one another make it through,” Carhart, who works as a principal threat analyst at industrial cybersecurity firm Dragos, says.

Conferences are the “social pillars” of the infosec and hacker communities, according to Joe Slowik, who also works at Dragos as a threat intelligence analyst and has stepped in to fill the void left by the shut-down of face-to-face conferences by creating his own virtual conference, CrisisCon. “While relatively minor in the grand scheme of things, such events serve as a great opportunity to reconnect with friends, make new contacts, as well as learning more about the fields we all love,” Slowik wrote on his conference website.

CrisisCon was designed to run for five days, from March 23 to March 27, appearing in two-hour windows that vary each day throughout the week. “The original idea was a 24-hour around-the-world crisis con. Just hop in, hop out and make it happen just to take our minds off of things,” Slowik tells CSO.

Advantages of virtual cybersecurity conferences

Despite the disconcerting conditions under which these conferences have emerged, they may in fact have some benefits over in-person meetings. “Just ease of accessibility goes way up,” Slowik says. “You don't have to worry about travel or lodging. Especially if you're not talking about something that's an all-day or most of the day item or it's just a one- or two-hour drop in kind of thing, that’s an easy ask.”

“Virtual cons allow many more people to participate who can't make it to physical events for numerous reasons,” Carhart says. “I think they're valuable. People were relaxed today. We only had a few issues that needed moderation.”

Other virtual conferences are on the horizon, including one by Tribe of Hackers creator Marcus J. Carey. Bryson Bort, founder and CEO of cybersecurity firm Scythe, is launching virtual happy hours this week that will feature speakers addressing a variety of infosec topics.

While Bort’s happy hours, like PancakesCon and CrisisCon, are free to attendees, not all the cybersecurity conferences cropping up online are. Noted conference speaker and operator of the HaveIBeenPwned website Troy Hunt and his partner Scott Helme are moving their premium-only conference Hack Yourself First workshop online starting March 26.

Virtual conferences have limits

Virtual conferences do come with some downsides. “There are limits to what you can achieve with virtual interaction versus physical, natural interaction,” Carhart says.

“The drawback, and it's a really serious one in my opinion, is the face-to-face, sort of mingling, accidental encounter aspect of [live] events are a major if not the most important draw for an in-person information security event,” Slowik says. “Being able to just run into either someone you know or someone you didn't know before and then having the ability to hash out problems in person.”

Yet there’s no doubt virtual conferences can help fill the knowledge void created by isolation. “At least from an information-sharing perspective, if your primary goal is ‘Hey, I want to listen to someone that maybe knows what they're talking about, discuss something pretty cool for a little bit and see if I learned something,’” the virtual events fill the bill, Slowik says.

Despite the dramatically lower cost of hosting virtual conferences, they still entail expenses and a lot of elbow grease. A single webinar for 3,000 attendees costs over $1,000 a month, according to Carhart. Organizing the virtual conferences is a full-time job on top of the organizers’ day jobs.

“I've already been asked to do another one in two weeks,” Carhart says. “Given it took me a week off work to make this one happen, I don't know how plausible that time frame is. I hope to do it again, though.”

Slowik, too, thinks he’ll host another conference online soon after CrisisCon finishes, if only to fulfill his need for distraction from the crisis. “One of the main reasons why I'm even doing this in the first place is almost to distract myself,” Slowik says. “What's something useful that I can do?”